b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                 A Complete Certification and Accreditation\n                  Is Needed to Ensure the Electronic Fraud\n                Detection System Meets Federal Government\n                            Security Standards\n\n\n\n                                      September 29, 2006\n\n                              Reference Number: 2006-20-178\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n Redaction Legend:\n 2(d) = Law Enforcement Technique(s)\n 2(e) = Law Enforcement Procedure(s)\n\n\n Phone Number | 202-927-7037\n Email Address | Bonnie.Heald@tigta.treas.gov\n Web Site      | http://www.tigta.gov\n\x0c                                           DEPARTMENT OF THE TREASURY\n                                                WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                         September 29, 2006\n\n\n MEMORANDUM FOR CHIEF INFORMATION OFFICER\n                CHIEF, MISSION ASSURANCE AND SECURITY SERVICES\n                CHIEF, CRIMINAL INVESTIGATION\n\n FROM:                       Michael R. 
Phillips\n                             Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 A Complete Certification and Accreditation Is\n                             Needed to Ensure the Electronic Fraud Detection System Meets Federal\n                             Government Security Standards (Audit # 200620040)\n\n This report presents the results of our review to assess the effectiveness of security controls over\n the Electronic Fraud Detection System (EFDS) by evaluating its certification and accreditation\n (C&A) packages.\n\n Impact on the Taxpayer\n The EFDS, an automated compliance system, was designed to maximize fraud detection at the\n time tax returns are filed to prevent the issuance of questionable refunds. Security certifications\n conducted for the EFDS have been incomplete since October 2001, resulting in limited assurance\n that EFDS security controls are effective in protecting taxpayer information from unauthorized\n disclosure. This is especially significant because the EFDS contains the Internal Revenue\n Service\xe2\x80\x99s (IRS) second largest repository of taxpayer information.\n\n Synopsis\n The IRS uses its enforcement authority to collect taxes due from individuals who do not fulfill\n their tax obligations. The IRS Criminal Investigation function is responsible for detecting and\n investigating criminal violations of the Internal Revenue Code and financially related crimes.\n The EFDS is the primary system used by the Criminal Investigation function to identify\n questionable tax return refunds.\n\x0c                  A Complete Certification and Accreditation Is Needed to Ensure\n                      the Electronic Fraud Detection System Meets Federal\n                                 Government Security Standards\n\n\nSince its initial development in 1995, the EFDS has gone through significant changes. 
The\nEFDS began as a client server application, allowing users to access the application through the\nIRS network. In June 2001, the IRS approved the conversion to a web-based application, which\nwould enable users to access the EFDS through the IRS Intranet. While the web-based\napplication was under development, the client server application continued to operate. The\nweb-based application was expected to be available to process tax returns in 2006, so the client\nserver application was shut down in December 2005. However, the web-based application never\nbecame operational. In April 2006, the IRS decided to restore the client server application to\nprocess tax returns in 2007.\nBecause the EFDS contains and processes highly sensitive taxpayer information, the security\nover the system is paramount to ensure all data are protected from unauthorized access and\nmisuse. To ensure systems are secure, Federal Government Security Standards1 dictate that all\nsystems and applications be certified and accredited every 3 years or when major changes are\nmade to the system. The Mission Assurance and Security Services (MA&SS) organization has\nresponsibility to certify IRS systems. Part of that role is to ensure security controls are\nadequately tested. The system owner uses the results of those tests to authorize the system\xe2\x80\x99s\noperation and by doing so accepts the risks associated with that system.\nOverall, the security controls for the EFDS have not been adequately tested since October 2001.\nAs a result, system owners accredited the systems with only limited assurance that security\ncontrols were effective to protect taxpayer information from being inappropriately accessed or\nmisused. 
Our review assessed three separate components of the EFDS: the client server\napplication,2 the web-based application,3 and the computers supporting the EFDS application.\nWhen the EFDS client server application was certified and accredited in August 2004, the testing\nto support the certification did not follow IRS policies and Federal Government Security\nStandards. Key application security controls were not tested. Instead, the C&A was based solely\non the security of the supporting Windows-based operating system.\nTests were not adequate because the MA&SS organization omitted steps in the certification\nprocess in order to meet its goal of certifying and accrediting 100 percent of IRS systems by the\nend of Fiscal Year 2004. Emphasis was placed on ensuring system owners signed accreditation\nmemoranda rather than performing adequate tests. In the fourth quarter of Fiscal Year 2004, the\nIRS certified and accredited 30 major applications, which included the EFDS, representing over\none-half of its inventory of major applications at the time.\nPrior to the IRS\xe2\x80\x99 decision to stop all development of the EFDS web-based application, we\nevaluated its January 2006 C&A to determine whether it met IRS security standards. 
We\n\n\n1\n  Appendix III to Office of Management and Budget Circular A-130, Security of Federal Automated Information\nResources.\n2\n  The client server application allows users to access the EFDS system internally on the network.\n3\n  A system development effort that would allow users to access the EFDS via the IRS Intranet.\n                                                                                                              2\n\x0c\x0c               A Complete Certification and Accreditation Is Needed to Ensure\n                   the Electronic Fraud Detection System Meets Federal\n                              Government Security Standards\n\n\nBusiness Operating Divisions, to determine the recovery priority for critical business processes\nand major applications. Management\xe2\x80\x99s complete response to the draft report is included as\nAppendix IV.\nCopies of this report are also being sent to the IRS managers affected by the report\nrecommendations. Please contact me at (202) 622-6510 if you have questions or\nMargaret E. 
Begg, Assistant Inspector General for Audit (Information Systems Programs), at\n(202) 622-8510.\n\n\n\n\n                                                                                                   4\n\x0c                     A Complete Certification and Accreditation Is Needed to Ensure\n                         the Electronic Fraud Detection System Meets Federal\n                                    Government Security Standards\n\n\n\n\n                                             Table of Contents\n\nBackground ..........................................................................................................Page 1\n\nResults of Review ...............................................................................................Page 4\n          Security Controls for the Electronic Fraud Detection System Client\n          Server Application Have Not Been Adequately Tested Since 2001.............Page 4\n                    Recommendation 1:..........................................................Page 6\n\n          If the Web-Based Electronic Fraud Detection System Had Become\n          Operational, It May Have Allowed Unauthorized Access to Taxpayer\n          Information ...................................................................................................Page 6\n                    Recommendation 2:..........................................................Page 7\n\n          Unresolved Weaknesses at the Enterprise Computing Center-Memphis\n          May Affect the Security and Recovery of the Electronic Fraud Detection\n          System Client Server Application.................................................................Page 8\n                    Recommendation 3:..........................................................Page 9\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................Page 10\n          Appendix II \xe2\x80\x93 Major Contributors to This Report 
........................................Page 11\n          Appendix III \xe2\x80\x93 Report Distribution List .......................................................Page 12\n          Appendix IV \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ......................Page 13\n\x0c        A Complete Certification and Accreditation Is Needed to Ensure\n            the Electronic Fraud Detection System Meets Federal\n                       Government Security Standards\n\n\n\n\n                        Abbreviations\n\nBIA                 Business Impact Analysis\nC&A                 Certification and Accreditation\nCI                  Criminal Investigation\nECC-MEM             Enterprise Computing Center-Memphis\nEFDS                Electronic Fraud Detection System\nFY                  Fiscal Year\nIRS                 Internal Revenue Service\nMA&SS               Mission Assurance and Security Services\nNIST                National Institute for Standards and Technology\nPOA&M               Plan of Actions and Milestones\nPY                  Processing Year\n\x0c                  A Complete Certification and Accreditation Is Needed to Ensure\n                      the Electronic Fraud Detection System Meets Federal\n                                 Government Security Standards\n\n\n\n\n                                          Background\n\nThe Internal Revenue Service (IRS) uses its enforcement authority to collect taxes due from\nindividuals who do not fulfill their tax obligations. Noncompliance may not be deliberate and\ncan stem from a wide range of causes, including lack of knowledge, confusion, poor record\nkeeping, differing legal interpretations, unexpected personal emergencies, and temporary cash\nflow problems. However, some noncompliance may be willful, even to the point of criminal tax\nevasion. 
The IRS Criminal Investigation (CI) function is responsible for detecting and\ninvestigating criminal violations of the Internal Revenue Code and financially related crimes.\nThe Electronic Fraud Detection System (EFDS), an\nautomated compliance system, is the primary\ninformation system used to support the CI function\xe2\x80\x99s                The EFDS is used to maximize\n                                                                    fraud detection at the time that\nQuestionable Refund Program.1 The EFDS was                          tax returns are filed to prevent\ndesigned to maximize fraud detection at the time that tax            the issuance of questionable\nreturns are filed to prevent the issuance of questionable                      refunds.\nrefunds. It is generally harder and more costly to\nrecover fraudulent refunds once they have been issued.\nSince its initial development in 1995, the EFDS has gone through significant changes. In\nJune 2001, the IRS approved the conversion of the existing client server application2 to a\nweb-based application.3 From Processing Years (PY)4 2001 through 2005, the client server\napplication continued to operate as the web-based application was under development. The new\napplication was initially expected to be available for PY 2005, but was subsequently delayed\nuntil PY 2006 due to system development problems. In December 2005, the client server\napplication was shut down because of the impending release of the web-based application.\nHowever, the web-based application never became operational. In April 2006, the IRS decided\nto restore the client server application for PY 2007.\nBecause the EFDS contains and processes highly sensitive taxpayer information, the security\nover the system is paramount to ensure all data are protected from unauthorized access and\nmisuse. 
Federal Government Security Standards issued by the Office of Management and\nBudget5 require that all systems and applications must be certified and accredited every 3 years\n\n\n1\n  A nationwide program established to detect and stop fraudulent claims for refunds on income tax returns.\n2\n  The client server application allows users to access the EFDS system internally on the IRS network.\n3\n  A system development effort that would allow users to access the EFDS via the IRS Intranet.\n4\n  A PY is the year in which tax returns and other tax data are processed by the IRS.\n5\n  Appendix III to Office of Management and Budget Circular A-130, Security of Federal Automated Information\nResources.\n                                                                                                       Page 1\n\x0c                  A Complete Certification and Accreditation Is Needed to Ensure\n                      the Electronic Fraud Detection System Meets Federal\n                                 Government Security Standards\n\n\n\nor when major changes to systems occur. Guidelines issued by the National Institute for\nStandards and Technology (NIST)6 further describe this certification and accreditation (C&A)\nprocess, which includes the following three phases:\n    \xe2\x80\xa2   Initiation: A categorization of the sensitivity of the system as high, moderate, or low risk.\n        During this phase, the system security plan should be updated. The system security plan\n        provides an overview of the security requirements for the system and describes the\n        security controls in place or planned for meeting those requirements.\n    \xe2\x80\xa2   Certification: A comprehensive assessment of the management, operational, and\n        technical security controls in a system. Security controls testing of a system is performed\n        to support the assessment, which is documented in a security assessment report. 
Any\n        weaknesses identified during the testing are listed in a plan of actions and milestones\n        (POA&M), which is monitored and updated until the weaknesses are corrected.\n    \xe2\x80\xa2   Accreditation: An official management decision made by a senior agency official to\n        authorize operation of an information system and to explicitly accept the risk to agency\n        operations, agency assets, or individuals based on the implementation of an agreed-upon\n        set of security controls.\nThe Mission Assurance and Security Services (MA&SS) organization has responsibility to\ncertify IRS systems. Part of that role is to ensure security controls are adequately tested. The\nsystem owner uses the results of those tests to authorize the system\xe2\x80\x99s operation and, by doing so,\naccepts the risks associated with that system.\nThe IRS has a long-standing computer security material weakness,7 which includes the C&A\nprocess. We have issued several reports critical of the IRS C&A process, with the most recent\nissued in August 2004.8 We also commented in our Fiscal Year (FY) 2005 report for the Federal\nInformation Security Management Act of 20029 on the IRS\xe2\x80\x99 improvements and continuing\nstruggles with its C&A process.\nWe initiated this audit to review the EFDS security controls. Two other audits were initiated to\nanswer questions raised by the House Ways and Means Subcommittee on Oversight regarding\nthe EFDS. 
One audit was performed to determine whether the IRS effectively managed annual\nprogramming changes and requested modifications to the EFDS prior to\n\n6\n  The NIST, under the Department of Commerce, is responsible for developing standards and guidelines, including\nminimum requirements, for providing adequate information security for all Federal Government agency operations\nand assets.\n7\n  The Department of the Treasury defines a material weakness as \xe2\x80\x9cshortcomings in operations or systems which,\namong other things, severely impair or threaten the organization\xe2\x80\x99s ability to accomplish its mission or to prepare\ntimely, accurate financial statements or reports.\xe2\x80\x9d\n8\n  The Certification and Accreditation of Computer Systems Should Remain in the Computer Security Material\nWeakness (Reference Number 2004-20-129, dated August 2004).\n9\n  Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).\n                                                                                                           Page 2\n\x0c                   A Complete Certification and Accreditation Is Needed to Ensure\n                       the Electronic Fraud Detection System Meets Federal\n                                  Government Security Standards\n\n\n\nPY 2006.10 Another audit (Audit Number 200610003) is being performed to determine the\neffectiveness of the IRS\xe2\x80\x99 procedures for detecting fraudulent and potentially fraudulent refund\nreturns (including inventory controls) and the timely and proper hold and release of refunds.\nIn addition, in June 1999 we reported11 that the EFDS had numerous security weaknesses,\nincluding inadequate audit trails12 and contingency plans. 
Our review of the IRS\xe2\x80\x99 corrective\nactions to recommendations in this report determined the weaknesses identified in the report\nhave been adequately addressed.\nOur review was performed at the MA&SS organization in New Carrollton, Maryland, during the\nperiod March through June 2006. The audit was conducted in accordance with Government\nAuditing Standards. Detailed information on our audit objective, scope, and methodology is\npresented in Appendix I. Major contributors to the report are listed in Appendix II.\n\n\n\n\n10\n   The Electronic Fraud Detection System Redesign Failure Resulted in Fraudulent Returns and Refunds Not Being\nIdentified (Reference Number 2006-20-108, dated August 2006).\n11\n   Review of the Electronic Fraud Detection System (Reference Number 093009, dated June 1999).\n12\n   A chronological record of system activities that is sufficient to permit reconstruction, review, and examination of\na transaction from inception to final results.\n                                                                                                               Page 3\n\x0c                   A Complete Certification and Accreditation Is Needed to Ensure\n                       the Electronic Fraud Detection System Meets Federal\n                                  Government Security Standards\n\n\n\n\n                                       Results of Review\n\nSecurity Controls for the Electronic Fraud Detection System Client\nServer Application Have Not Been Adequately Tested Since 2001\nIRS policies and Federal Government Security Standards require security controls for all major\napplications13 be independently assessed, certified, and accredited at least every 3 years. Regular\ntesting of security controls is necessary to determine the extent to which the controls are\nimplemented correctly, operating as intended, and meeting the security requirements for the\nsystem. 
Failure to regularly test security controls can result in undetected security weaknesses\nthat place taxpayer information at risk of unauthorized\ndisclosure, potentially resulting in identity theft or other        Insufficient security controls\nprivacy violations. For the EFDS, insufficient security            for the EFDS, the IRS\xe2\x80\x99 second\ncontrols could place millions of taxpayer records at risk for      largest repository of taxpayer\nunauthorized access or modification, as the EFDS is the               information, could place\n                                                                  millions of taxpayer records at\nIRS\xe2\x80\x99 second largest repository of taxpayer information.           risk of unauthorized access or\nSecurity controls for applications are generally provided                    modification.\nthrough the operating system (e.g., Windows) on which\nthey reside and by the application itself. To reduce the\nresources required for certification, operating system controls do not have to be retested for each\napplication. However, the application\xe2\x80\x99s security controls must be tested. These controls are\noften the last line of defense for protecting the confidentiality, integrity, and availability of\nsensitive information.\nApplication security controls for the EFDS client server application were last tested in\nOctober 2001 as part of the certification that was signed in April 2002. The October 2001 testing\nidentified 10 high-risk weaknesses that have since been addressed.\nIn August 2004, the EFDS was again certified and accredited. However, this C&A relied on\ncertification of the Windows-based computers supporting the system and did not include testing\nof the client server application security controls. The application controls are critical for\nensuring the confidentiality, integrity, and availability of taxpayer information in the EFDS. 
As\n\n\n\n\n13\n  Major applications are a category of applications used by the IRS that require special attention to security because\nof the severe adverse effect that compromise of those applications would have on the IRS mission, tax\nadministration functions, and/or employee welfare.\n                                                                                                              Page 4\n\x0c                   A Complete Certification and Accreditation Is Needed to Ensure\n                       the Electronic Fraud Detection System Meets Federal\n                                  Government Security Standards\n\n\n\nsuch, this August 2004 EFDS client server application C&A provided only limited assurance that\nthe EFDS security controls were adequate.14\nApplication security controls were not tested because the MA&SS organization omitted steps in\nthe certification process in order to meet its goal of certifying and accrediting 100 percent of IRS\nsystems by the end of FY 2004. Specifically, instead of performing a full certification on each\nsystem, the MA&SS organization focused on obtaining signed accreditation memoranda from\nsystem owners. As a result, many systems were accredited without adequate documentation and\nsecurity testing. In the fourth quarter of FY 2004, the IRS certified and accredited 30 major\napplications, including the EFDS, representing 57 percent of the IRS\xe2\x80\x99 inventory of major\napplications at the time.\nThe Chief, MA&SS, provided us with his perspective on the FY 2004 C&A activities. The\nChief informed us that, upon assuming his new position in FY 2004, he quickly discovered the\nIRS processes for C&A were incomplete and not in accordance with Office of Management and\nBudget Circular A-130 guidance. Of greatest concern was the fact that very few applications or\nsystems had been accredited by the system owners or the Chief Information Officer. 
Because the\nsystems were already in operation, the Chief, MA&SS, indicated his intent was to have system\nowners sign accreditation memoranda for all major systems so they would recognize their\nresponsibilities for accepting the risks associated with their systems.\nAt the end of FY 2004, the IRS initiated a major effort to at least get a signed accreditation\nmemorandum in place for every major application and general support system. The MA&SS\norganization\xe2\x80\x99s review of the security documentation of many systems at that time, including the\nEFDS, revealed that Security Plans and other security documentation were incomplete and did\nnot contain the level of detail necessary to accurately capture all security considerations.\nWhile accreditation is an important and a required step in the C&A process, NIST guidelines15\nstate, \xe2\x80\x9cit is essential that agency officials have the most complete, accurate, and trustworthy\ninformation possible on the security status of their information systems in order to make timely,\ncredible, risk-based decisions on whether to authorize operation of those systems.\xe2\x80\x9d Because the\nEFDS client server application was tested inadequately, we believe the system owner signed the\naccreditation without a full understanding of the status of EFDS security controls.\n\n\n\n\n14\n   During Fiscal Year 2004, the IRS decided to recategorize its C&A approach to include general support systems,\nmajor applications, and other applications. 
The IRS assigned all of its other applications to a general support system\nwith the assumption that the general support systems provide the majority of the security controls for the other\napplications.\n15\n   NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information\nSystems.\n                                                                                                              Page 5\n\x0c               A Complete Certification and Accreditation Is Needed to Ensure\n                   the Electronic Fraud Detection System Meets Federal\n                              Government Security Standards\n\n\n\nRecommendation\nRecommendation 1: The Chief, MA&SS, should coordinate with the Chief, CI, to complete\na full security C&A package for the EFDS client server application and supporting computers\nbefore the system is permitted to operate.\n       Management\xe2\x80\x99s Response: The Chief, MA&SS, has already begun coordination with\n       the Chief, CI, to complete a full security C&A of the EFDS which will be conducted\n       prior to the EFDS being placed into operation for the next tax filing season. This C&A\n       will be based on currently available draft and final versions of Federal Government\n       security process guidance. The EFDS application security controls will be tested based\n       on NIST guidance as well as any other available security controls testing process\n       guidance from other Government organizations and industry best practices.\n\nIf the Web-Based Electronic Fraud Detection System Had Become\nOperational, It May Have Allowed Unauthorized Access to Taxpayer\nInformation\nPrior to the IRS decision in April 2006 to stop all system development activities for the EFDS\nweb-based application, we evaluated the effectiveness of its\nJanuary 2006 C&A to determine whether it would have met          Required security controls for\nIRS security standards. 
Our review identified problems               the EFDS web-based\nwith the completeness of security controls testing and the       application were not tested as\n                                                                        part of its C&A.\nIRS process for reporting omitted security control tests.\nSpecifically, key security controls in the following areas\nwere not tested as part of the C&A process:\n   \xe2\x80\xa2   Data integrity, which ensures data processed by the system are accurate, complete, valid,\n       and protected.\n   \xe2\x80\xa2   Transmission confidentiality, which ensures communications through the EFDS\n       web-based application are encrypted to protect information, such as user passwords and\n       taxpayer information, during transmission between the EFDS application and a user\xe2\x80\x99s\n       computer.\n   \xe2\x80\xa2   User authorizations, which ensure users are authorized to access the system.\nControls in these areas are required by IRS policies and the EFDS security plan. In addition,\nthey are included in the required set of controls for high-risk Federal Government systems\nspecified by the NIST. This is not the first time IRS management has omitted tests in C&A\npackages for the EFDS. Our review of the 2002 C&A for the client server application also\nidentified omitted security tests. Specifically, two configuration management tests were omitted\n\n\n                                                                                           Page 6\n\x0c                A Complete Certification and Accreditation Is Needed to Ensure\n                    the Electronic Fraud Detection System Meets Federal\n                               Government Security Standards\n\n\n\nbecause the tools needed to execute the tests were not available. 
No alternative tests were\nperformed to ensure the controls were adequate.\nBy not testing these controls, the IRS had limited assurance that sensitive taxpayer information\nstored, processed, and transmitted by the EFDS web-based application would have been accurate\nand reliable. In addition, there are limited assurances this sensitive information would have been\nprotected from unauthorized access, modification, or deletion.\nThe MA&SS organization did not adequately follow the certification process in testing the EFDS\ndue to the imminent implementation date of the System. Testing was conducted in 1 day only a\nfew weeks prior to implementation. In addition, testing was performed on the EFDS training\nsystem and not the actual EFDS production system. IRS management informed us that the 2005\nversion of the System was unusable for testing since it was undergoing significant changes and\nthe EFDS training system was the best system available to use at that time. However, they also\ninformed us that, due to the volume of changes being made to the production web-based\napplication, they were unable to mirror those changes on the training system. Because the\ntraining system did not have actual EFDS data or follow IRS user authorization processes, tests\nfor data integrity, user authorization, and transmission confidentiality controls were not\nperformed.\nIn addition, the MA&SS organization did not prominently disclose the omitted tests in the C&A\nreport. While the omitted tests were identified in the report appendices, they were not discussed\nin the body of the security test report or the security assessment report. Consequently, the\nsystem owners may not have seen all of the necessary information on the status of security\ncontrols to make an appropriate decision on whether to accredit the system.\nWe recognize the IRS has ceased development of the web-based application. 
As such, the\nrecommendation for this finding pertains to any future C&A work on the EFDS application.\n\nRecommendation\nRecommendation 2: If the EFDS web-based application is redeployed, the Chief, MA&SS,\nshould ensure the certification process fully discloses and explains any omitted tests for security\ncontrols and the associated risks in the body of the security testing report and the security\nassessment report. In addition, criteria should be included for identifying compensating tests and\nestablishing plans for follow-up testing for control tests omitted during the certification.\n       Management\xe2\x80\x99s Response: Although the EFDS web-based application is not being\n       redeployed in 2007, the Chief, MA&SS, will update its processes to ensure that all\n       security testing reports and security assessment reports for EFDS and all other IRS\n       systems explain any omitted tests and the associated risks. The process will ensure\n       criteria will be included for identifying compensating tests and establishing plans for\n       follow-up testing for omitted control tests.\n\n                                                                                              Page 7\n\x0c\x0c\x0c                A Complete Certification and Accreditation Is Needed to Ensure\n                    the Electronic Fraud Detection System Meets Federal\n                               Government Security Standards\n\n\n\n                                                                                    Appendix I\n\n        Detailed Objective, Scope, and Methodology\n\nThe overall objective of this review was to assess the effectiveness of security controls over the\nEFDS by evaluating its C&A packages. To accomplish this objective, we:\nI.     
Determined whether the C&A packages for the EFDS client server and web-based\n       applications and the infrastructure at the ECC-MEM effectively identified and addressed\n       security control weaknesses.\n       A. Determined whether the IRS developed an adequate security plan.\n       B. Determined whether the IRS identified and tested the significant security controls for\n          the system and adequately addressed identified security weaknesses.\n       C. Assessed whether the C&A decisions were justified.\n       D. Assessed the adequacy of the contingency planning documents.\nII.    Determined whether security weaknesses identified in our report entitled Review of the\n       Electronic Fraud Detection System (Reference Number 093009, dated June 1999) were\n       adequately addressed in the C&A process.\n       A. Identified the status of IRS corrective actions to the report recommendations.\n       B. Determined whether C&A testing adequately addressed the security weaknesses\n          identified in the report.\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nMargaret E. 
Begg, Assistant Inspector General for Audit (Information Systems Programs)\nKent Sagara, Acting Director\nMarybeth Schumann, Audit Manager\nMichael Howard, Lead Auditor\nRichard Borst, Senior Auditor\nJody Kitazono, Senior Auditor\nThomas Nacinovich, Senior Auditor\nStasha Smith, Senior Auditor\n\n                                                                       Appendix III\n\n                         Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nDeputy Chief Information Officer OS:CIO\nDeputy Chief, Mission Assurance and Security Services OS:MA\nAssociate Chief Information Officer, Enterprise Operations OS:CIO:EO\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaisons:\n       Deputy Commissioner for Operations Support OS\n       Chief, Mission Assurance and Security Services OS:MA\n       Director, Program Oversight Office OS:CIO:SM:PO\n\n                                                     Appendix IV\n\nManagement\xe2\x80\x99s Response to the Draft Report\n
'